Difference between revisions of "IIS Security Practices"
From MgmtWiki
(Created page with "==Full Title or Meme== Security practices to follow on IIS for good security. ==Context== * Assuming IIS (or any web platform) is running as a front end web server, it should...") |
(→References) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
==Context== | ==Context== | ||
* Assuming IIS (or any web platform) is running as a front end web server, it should never be trusted with high value assets and assumed to be hackable. Still there are ways to make the hacks much less frequent. | * Assuming IIS (or any web platform) is running as a front end web server, it should never be trusted with high value assets and assumed to be hackable. Still there are ways to make the hacks much less frequent. | ||
| + | * [https://www.dnsstuff.com/windows-iis-server-tools Ultimate Guide to IIS Server: What Is IIS? 2020 IIS Tutorial] 2020-02-20 | ||
| + | ==Solutions== | ||
| + | ===Application Pool Identities=== | ||
| + | Starting with Server 2008 R2 IIS services will not longer run as network services but with virtual [https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities Application Pool Identities] that have no entry local or domain accounts, and hence no "Current User" cert store or HKCU registry entries. | ||
==References== | ==References== | ||
| + | * This provides details for the wiki page [[Web Site Security]]. | ||
| − | + | [[Category:Best Practice]] | |
| − | + | [[Category: Web]] | |
| − | + | [[Category:Security]] | |
Latest revision as of 09:22, 8 April 2022
Full Title or Meme
Security practices to follow on IIS for good security.
Context
- Assuming IIS (or any web platform) is running as a front end web server, it should never be trusted with high value assets and assumed to be hackable. Still there are ways to make the hacks much less frequent.
- Ultimate Guide to IIS Server: What Is IIS? 2020 IIS Tutorial 2020-02-20
Solutions
Application Pool Identities
Starting with Server 2008 R2 IIS services will not longer run as network services but with virtual Application Pool Identities that have no entry local or domain accounts, and hence no "Current User" cert store or HKCU registry entries.
References
- This provides details for the wiki page Web Site Security.
